
The National Cyber Security Centre Finland’s weekly review – 37/2023

Information security now!

This week we cover an active scam call campaign, of which we have received numerous reports from both individual citizens and organisations. We also take a look at ransomware and the HYÖKY service for the municipal sector.

TLP:CLEAR

Topics covered in this week’s review

  • Active scam call campaign on the eve of new regulation entering effect
  • Handful of ransomware attacks in recent months 
  • Traficom’s National Cyber Security Centre Finland supports the improvement of municipalities’ cyber security
  • Data breaches and phishing made for stormy Cyber Weather in August

Active scam call campaign on the eve of new regulation entering effect

The NCSC-FI has once again received numerous reports of phone number (caller ID) spoofing from both individual citizens and companies. The spoofed numbers have been used for both scam and harassment calls. While the phenomenon is by no means new, the number of cases reported has been rising recently.

Going forward, phone number spoofing and scam calls will be tackled in Finland based on a revised Traficom regulation. Finnish Transport and Communications Agency Traficom’s regulation 28, which was updated on 16 May 2022, imposes obligations on telecommunications operators to prevent caller ID spoofing and the transmission of scam calls to recipients. The obligations will enter into effect for mobile phone numbers on 2 October 2023.

We also wrote about the topic in our weekly review 14/2023.

Read more: Traficom and Finnish telecommunications operators join forces to help customers by stopping caller ID spoofing

Handful of ransomware attacks in recent months 

Over the past few months, the NCSC-FI has received a handful of reports of ransomware attacks. The impacts of ransomware attacks vary depending on how the affected organisations respond to them and how far the ransomware has spread. In some cases, a ransomware attack can completely paralyse the affected organisation, while at other times the effects are limited to a single server. Whatever the case may be, having up-to-date backups is essential for recovery. We also wrote about ransomware earlier this year based on questions submitted to the NCSC-FI.

Ransomware can destroy or encrypt an infected organisation’s files and demand ransom for them, but even paying the ransom is no guarantee that the files will actually be restored. Because of this, it is crucial for organisations to have backups of their files and systems. For more information, please see our weekly review 24/2023.

What should you do if your organisation suffers a ransomware attack?

One of the attack vectors for ransomware targeting companies is unpatched software. The unpatched component can be either a service directly open to the internet or a system in the company’s internal network. These are often accessed directly, or, in the case of internal network systems, via phishing attacks.

If your organisation is targeted by a ransomware attack, it is imperative to take swift action internally and in cooperation with your IT service provider(s). You should also always file a police report. Cyber incidents can also be reported confidentially to the NCSC-FI, which helps organisations handle them. Reports submitted to the NCSC-FI also contribute to building a national situational picture of cyber security, which is shared with various actors, from individual citizens and organisations all the way to the highest levels of government.

Earlier this year, vocational education and training provider Keuda published their final report on the ransomware attack that they suffered last year (in Finnish). The report is valuable reading for anyone interested in the subject.

Do not pay the ransom

Criminals have found ransomware an effective way to benefit financially, because organisations unprepared for the threat are easy targets. Paying the ransom to resolve the situation is not the right solution, however. Payment does not necessarily guarantee that the data will be restored or even prevent the blackmail or other attacks from continuing. The attacker’s objective may also be simply to destroy the data, which means that the blackmail is just a smokescreen. In that case, the data cannot be restored even by paying the ransom. A ransomware attack can also lead to the attacked organisation’s data being leaked.

Read our instructions on how to respond to ransomware attacks for organisations here (PDF).

Read our instructions on how to respond to ransomware attacks for organisations’ management here (PDF).

Traficom’s National Cyber Security Centre Finland supports the improvement of municipalities’ cyber security

Municipalities play a key role in providing various public services and have a duty to do so. Because of this, municipalities also maintain data networks that are used to process and manage large volumes of various types of data. The more public services continue to digitalise, the more important it becomes to take proper care of the cyber security of online services, data networks and information pools. The single most important information security act for an organisation is to be aware of the current level of its information security. This awareness serves as the basis for determining what should be improved. However, after this, you also need to follow through on the necessary development measures.

Traficom’s National Cyber Security Centre Finland provides municipalities with access to several free-of-charge services for developing and improving their cyber and information security. These services have been, and continue to be, developed in collaboration with municipalities to ensure that they serve their users in the best possible manner. Other parties involved in the development and implementation of these services include the National Emergency Supply Agency and the Ministry of Finance.

The Hyöky service being launched in September 2023 is a free-of-charge and easy-to-use service that municipalities can use to map their attack surfaces on public networks. This information can help municipalities secure their operating capability and services. The larger the attack surface, the greater the risk that malicious actors can gain access to critical ICT assets.

Read more about the subject in our article here (in Finnish).

Data breaches and phishing made for stormy Cyber Weather in August

The Cyber Weather in August was rainy, perhaps heralding the upcoming autumn. Phishing attacks were frequent, and the Citrix NetScaler vulnerability led to several data breaches in Finland. The exploitation of the vulnerability seemed to have been swift and automated. This is yet another great example of why you should always install patches and updates as soon as they become available.

Read the full Cyber Weather report here (in Finnish).

Vulnerabilities

CVE: CVE-2023-4863 and CVE-2023-4863
CVSS: Not known
What: Critical vulnerabilities in Google Chrome browser
Product: Google Chrome
Fix: Update Chrome

CVE: CVE-2023-36761 
CVSS: 6.2
What: Already exploited vulnerability in Microsoft Word
Product: Microsoft Word
Fix: Update to the latest version

Microsoft also released other updates and patches on Patch Tuesday, which you can read more about here.

CVE: CVE-2023-30908, CVE-2023-2650, CVE-2022-4304
CVSS: 9.8
What: Critical vulnerability in HPE OneView software
Product: HPE OneView
Fix: Update HPE OneView

CVE: CVE-2023-4863
CVSS: Not known
What: Critical vulnerability in Mozilla Firefox browser
Product: Mozilla Firefox
Fix: Update Firefox

About The Weekly Review

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 8–14 September 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.